But there’s some good news: NIST has overhauled these guidelines, and the revised version has just been finalized. One revised recommendation is that IT departments should force a password change only when there is evidence of compromise, such as a breach, rather than on a fixed schedule. The reason is that forced rotation produces incremental changes: when required to switch passwords every 90 days, people tend to swap out or increment a single character. An attacker who has obtained the old password can guess the new one in a handful of attempts, so the bulk of rotated passwords end up no stronger than the ones they replaced. This practice actually harms security rather than helping it.